This paper proposes approaches to introducing security policy into Role-Based Access Control (RBAC) and the Common Data Security Architecture (CDSA). We apply security policy to a role's privileges in RBAC and describe an extended RBAC that uses PKI and a role-assignment policy. The improved CDSA supports user-definable trust policy enforcement using trust policy description files. A policy-based CDSA is also presented. Furthermore, a role definition language is given, and a policy representation language is discussed.